CVE Database

36709+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2026-26150
8.6 HIGH

Server-side request forgery (ssrf) in Microsoft Purview allows an unauthorized attacker to elevate privileges over a network.

Apr 23, 2026
CVE-2026-6940
7.1 HIGH

radare2 prior to 6.1.4 contains a path traversal vulnerability in project deletion that allows local attackers to recursively delete arbitrary directories by supplying absolute paths …

Apr 23, 2026
CVE-2026-41279
7.5 HIGH

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the text-to-speech generation endpoint (POST /api/v1/text-to-speech/generate) …

Apr 23, 2026
CVE-2026-41278
7.5 HIGH

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the GET /api/v1/public-chatflows/:id endpoint returns the …

Apr 23, 2026
CVE-2026-41277
8.8 HIGH

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Mass Assignment vulnerability in the …

Apr 23, 2026
CVE-2026-41275
7.5 HIGH

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the password reset functionality on cloud.flowiseai.com …

Apr 23, 2026
CVE-2026-41273
8.2 HIGH

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, Flowise contains an authentication bypass vulnerability …

Apr 23, 2026
CVE-2026-41272
7.1 HIGH

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the core security wrappers (secureAxiosRequest and …

Apr 23, 2026
CVE-2026-41271
8.3 HIGH

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Server-Side Request Forgery (SSRF) vulnerability …

Apr 23, 2026
CVE-2026-41270
7.1 HIGH

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Server-Side Request Forgery (SSRF) protection …

Apr 23, 2026
CVE-2026-41269
7.1 HIGH

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the Chatflow configuration file upload settings …

Apr 23, 2026
CVE-2026-41267
8.1 HIGH

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, an improper mass assignment (JSON injection) …

Apr 23, 2026
CVE-2026-41266
7.5 HIGH

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, /api/v1/public-chatbotConfig/:id ep exposes sensitive data including …

Apr 23, 2026
CVE-2026-41138
8.8 HIGH

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, there is a remote code execution …

Apr 23, 2026
CVE-2026-41137
8.8 HIGH

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, The CSVAgent allows providing a custom …

Apr 23, 2026
CVE-2026-41259
7.5 HIGH

Mastodon is a free, open-source social network server based on ActivityPub. Prior to v4.5.9, v4.4.16, and v4.3.22, Mastodon allows restricting new user sign-up based on …

Apr 23, 2026
CVE-2026-41246
8.1 HIGH

Contour is a Kubernetes ingress controller using Envoy proxy. From v1.19.0 to before v1.33.4, v1.32.5, and v1.31.6, Contour's Cookie Rewriting feature is vulnerable to Lua …

Apr 23, 2026
CVE-2026-41241
8.7 HIGH

pretalx is a conference planning tool. Prior to 2026.1.0, The organiser search in the pretalx backend rendered submission titles, speaker display names, and user names/emails …

Apr 23, 2026
CVE-2026-41205
7.5 HIGH

Mako is a template library written in Python. Prior to 1.3.11, TemplateLookup.get_template() is vulnerable to path traversal when a URI starts with // (e.g., //../../../secret.txt). …

Apr 23, 2026
CVE-2026-40886
7.7 HIGH

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From 3.6.5 to 4.0.4, an unchecked array index in the …

Apr 23, 2026
CVE-2026-6921
8.3 HIGH

Race in GPU in Google Chrome on Windows prior to 147.0.7727.117 allowed a remote attacker to potentially perform a sandbox escape via a crafted video …

Apr 23, 2026
CVE-2026-5039
8.8 HIGH

TP-Link TL-WR841N v13 uses DES-CBC encryption in the TDDPv2 debug protocol with a cryptographic key derived from default web management credentials, making the key predictable …

Apr 23, 2026
CVE-2026-34003
7.8 HIGH

A flaw was found in the X.Org X server's XKB key types request validation. A local attacker could send a specially crafted request to the …

Apr 23, 2026
CVE-2026-34001
7.8 HIGH

A flaw was found in the X.Org X server. This use-after-free vulnerability occurs in the XSYNC fence triggering logic, specifically within the miSyncTriggerFence() function. An …

Apr 23, 2026
CVE-2026-33999
7.8 HIGH

A flaw was found in the X.Org X server. This integer underflow vulnerability, specifically in the XKB compatibility map handling, allows an attacker with local …

Apr 23, 2026
CVE-2026-41461
8.5 HIGH

SocialEngine versions 7.8.0 and prior contain a blind server-side request forgery vulnerability in the /core/link/preview endpoint where user-supplied input passed via the uri request parameter …

Apr 23, 2026
CVE-2025-70994
7.3 HIGH

Yadea T5 Electric Bicycles (models manufactured in/after 2024) have a weak authentication mechanism in their keyless entry system. The system utilizes the EV1527 fixed-code RF …

Apr 23, 2026
CVE-2026-31532
7.8 HIGH

In the Linux kernel, the following vulnerability has been resolved: can: raw: fix ro->uniq use-after-free in raw_rcv() raw_release() unregisters raw CAN receive filters via can_rx_unregister(), …

Apr 23, 2026
CVE-2026-6903
7.5 HIGH

The LabOne Web Server, backing the LabOne User Interface, contains insufficient input validation in its file access functionality. An unauthenticated attacker could exploit this vulnerability …

Apr 23, 2026
CVE-2026-5464
7.2 HIGH

The ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation and activation in all …

Apr 23, 2026
CVE-2026-41564
7.5 HIGH

CryptX versions before 0.088 for Perl do not reseed the Crypt::PK PRNG state after forking. The Crypt::PK::RSA, Crypt::PK::DSA, Crypt::PK::DH, Crypt::PK::ECC, Crypt::PK::Ed25519 and Crypt::PK::X25519 modules seed …

Apr 23, 2026
CVE-2026-41040
7.5 HIGH

GROWI provided by GROWI, Inc. is vulnerable to a regular expression denial of service (ReDoS) via a crafted input string.

Apr 23, 2026
CVE-2026-34488
7.3 HIGH

IP Setting Software contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries. As a result, arbitrary code …

Apr 23, 2026
CVE-2026-41231
7.5 HIGH

Froxlor is open source server administration software. Prior to version 2.3.6, `DataDump.add()` constructs the export destination path from user-supplied input without passing the `$fixed_homedir` parameter …

Apr 23, 2026
CVE-2026-41230
8.5 HIGH

Froxlor is open source server administration software. Prior to version 2.3.6, `DomainZones::add()` accepts arbitrary DNS record types without a whitelist and does not sanitize newline …

Apr 23, 2026
CVE-2026-41208
8.8 HIGH

Paperclip is a Node.js server and React UI that orchestrates a team of AI agents to run a business. Versions of @paperclipai/server prior to 2026.416.0 …

Apr 23, 2026
CVE-2026-41206
7.8 HIGH

PySpector is a static analysis security testing (SAST) Framework engineered for modern Python development workflows. The plugin security validator in PySpector uses AST-based static analysis …

Apr 23, 2026
CVE-2026-41180
7.5 HIGH

PsiTransfer is an open source, self-hosted file sharing solution. Prior to version 2.4.3, the upload PATCH flow under `/files/:uploadId` validates the mounted request path using …

Apr 23, 2026
CVE-2026-5935
7.3 HIGH

IBM Total Storage Service Console (TSSC) / TS4500 IMC 9.2, 9.3, 9.4, 9.5, 9.6 TSSC/IMC could allow an unauthenticated user to execute arbitrary commands with …

Apr 23, 2026
CVE-2026-40062
7.5 HIGH

A path Traversal vulnerability exists in Ziostation2 v2.9.8.7 and earlier. A remote unauthenticated attacker may get sensitive information on the operating system.

Apr 23, 2026
CVE-2026-3621
7.5 HIGH

IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.4 IBM WebSphere Application Server Liberty is vulnerable to identity spoofing under limited conditions when an application …

Apr 23, 2026
CVE-2026-32679
7.8 HIGH

The installers of LiveOn Meet Client for Windows (Downloader5Installer.exe and Downloader5InstallerForAdmin.exe) and the installers of Canon Network Camera Plugin (CanonNWCamPlugin.exe and CanonNWCamPluginForAdmin.exe) insecurely load Dynamic …

Apr 23, 2026
CVE-2026-41455
8.5 HIGH

WeKan before 8.35 contains a server-side request forgery vulnerability in webhook integration URL handling where the url schema field accepts any string without protocol restriction …

Apr 22, 2026
CVE-2026-41454
8.3 HIGH

WeKan before 8.35 contains a missing authorization vulnerability in the Integration REST API endpoints that allows authenticated board members to perform administrative actions without proper …

Apr 22, 2026
CVE-2026-41175
8.1 HIGH

Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.20 and 6.13.0, manipulating query parameters on Control Panel and REST …

Apr 22, 2026
CVE-2026-40517
7.8 HIGH

radare2 prior to 6.1.4 contains a command injection vulnerability in the PDB parser's print_gvars() function that allows attackers to execute arbitrary commands by crafting a …

Apr 22, 2026
CVE-2026-41166
7.0 HIGH

OpenRemote is an open-source internet-of-things platform. Prior to version 1.22.1, a user who has `write:admin` in one Keycloak realm can call the Manager API to …

Apr 22, 2026
CVE-2026-41134
7.8 HIGH

Kiota is an OpenAPI based HTTP Client code generator. Versions prior to 1.31.1 are affected by a code-generation literal injection vulnerability in multiple writer sinks …

Apr 22, 2026
CVE-2026-40937
8.3 HIGH

RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-alpha.94, all four notification target admin API endpoints in `rustfs/src/admin/handlers/event.rs` use a `check_permissions` …

Apr 22, 2026
CVE-2026-40882
7.6 HIGH

OpenRemote is an open-source internet-of-things platform. Prior to version 1.22.0, the Velbus asset import path parses attacker-controlled XML without explicit XXE hardening. An authenticated user …

Apr 22, 2026

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.